Update-Divi-Elegant-Themes-Security-Issue

Security Issue in Elegant Themes Divi, Extra and Divi Builder

by Jordan | Aug 4, 2020 | Uncategorized | 0 comments

What happened?

An email was sent out by Elegant Themes today August 3rd, 2020 about a security issue in a number of their products. The security issue allows a logged user with access to the Divi Builder to upload disallowed files. One a disallowed file is uploaded, the attacker could then further exploit WordPress or the hosting account the WordPress site is located on.

WordFence Blog Post – https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/
Elegant Themes Email – https://us7.campaign-archive.com/?u=9ae7aa91c578052b052b864d6&id=cb6b4b1ed3

What should you do?

If you’re running Divi or Extra theme, update them immediately. If you for some reason are just using the Divi Builder plugin, update it immediately.

However, if you don’t have WordPress accounts with access to Divi builder, then your action doesn’t have to be immediate. The only way an attacker can exploit this security issue is by having a login that can access the Divi builder.

Need Help with your WordPress site?

If you have issues with your WordPress site or require a WordPress export, then we’ve got you covered! Fill out the form below and someone will be in touch with you.

Elegant Themes Handled this…Properly?

This was handled properly, but there are definitely some things they could have done better. This wasn’t posted on the WPScan Vulnerability Database right away, but it’s listed now. I had reached out to their support chat and advised they should submit this to WPDB right away so that all the various security plugins pull in the vulnerability and report on it.

Elegant Themes (Divi 3.0 – 4.5.2, Extra 2.0 – 4.5.2, Divi Builder 2.0 – 4.5.2) – Authenticated Arbitrary File Upload – https://wpvulndb.com/vulnerabilities/10342

Email From Elegant Themes

Here’s the full email from elegant themes.

Elegant Themes Security Update

Today Divi, Extra and the Divi Builder plugin were updated to fix a security vulnerability. Updating these themes and plugins to their latest versions will fix the problem and keep your website secure.

The Problem

The builder lacked sufficient file type checks in the Divi Portability system, allowing for arbitrary file uploads. This is a critical security issue that could allow logged-in contributors, authors and editors with access to the builder to upload disallowed files to the server, leading to further exploit.

This vulnerability was discovered by WordFence in an internal audit and responsibly disclosed to our team, allowing us to fix the problem before it had been actively exploited.

Are You Affected?

Every website with potentially untrustworthy users that have access to the builder using Divi version 3.0 and above, Extra 2.0 and above or Divi Builder version 2.0 and above are affected and should update to the latest product versions. Product versions 4.5.3 include the security patch.

How To Fix It

Updating your themes and plugins will fix this problem. You can update your themes or plugin from within your WordPress dashboard, or you can download the latest versions from the members area and update them manually.

What If You Can’t Update Right Now?

If you are unable to update your themes/plugins right away, you can use our security patcher plugin to patch the vulnerability without updating your products. This is a free download for all customers. Installing this plugin will fix the problem, and you can continue to use the security patcher plugin until you are able to update your products to their latest versions.

Has Your Account Expired?

We are making these updates available for free to all expired accounts. Even if your account has expired, you can still update your themes or plugins to their latest versions via your WordPress dashboard. Expired accounts will not be restricted from updating.

We Are Here To Help

Security is extremely important to us and we take a number of precautions to help mitigate issues like this. We will continue to work hard to prevent similar mistakes from happening in the future.

If you have any questions or concerns, please know that our virtual doors are always open. If there is anything we can do to help, just let us know.

Best Wishes,
Nick Roach
www.ElegantThemes.com

Author

Jordan

Jordan has over 20 years of experience in Information Technology, largely spent at a leading Canadian children’s hospital within their research institute. His technical background is vast and includes networking, systems architecture, client-side support, server administration and management of technical assets.

Looking for assistance with technology?

If you found this article helpful, or are looking to for help with implementing the discussed technology in this article. Book a free 15-minute Consultation with someone from our team to discuss your needs!

📅 Book Consultation

Want regular news and updates right to your inbox?

To stay up to date with the latest technology news and trends, and receive updates about new products and services. Please sign up for our newsletter, you won't be spammed! We promise!

Security Issue in Elegant Themes Divi, Extra and Divi Builder

What happened?

What should you do?

Need Help with your WordPress site?

Elegant Themes Handled this…Properly?

Email From Elegant Themes

Categories

Author

Jordan

Other Articles

Slow Computer? Start Fresh with Clearing your Computers Operating System

What is Cloudflare?

Your Cell Phone May be at Risk; The Clever Way Thieves Easily Steal your 2FA Passwords

New Website? Consider the impact it has on Google and your sitemap.

Looking for assistance with technology?

Want regular news and updates right to your inbox?

Success!

Helpful Links

Contact

Jordan Trask